I'm trying to configure Google Authenticator on my Asus router's OpenVPN server.
Everything is OK if I use the OTP as the password, but it fails when I activate the "Static-challenge" option.
It's very strange because the authentication plugin status is OK after validating the login/password with pam_unix and the OTP with google-authenticator, but the TLS auth fails.
It seems that TLS auth needs the username/password...
Here is the syslog:
Syslog
1 11:19:22 vpnserver1[13825]: PLUGIN AUTH-PAM: BACKGROUND: USER: adm
Mar 1 11:19:22 vpnserver1[13825]: PLUGIN AUTH-PAM: BACKGROUND: parsed static challenge password
Mar 1 11:19:22 vpnserver1[13825]: in openpam_dispatch(): calling pam_sm_authenticate() in /usr/lib/pam_unix.so
Mar 1 11:19:22 vpnserver1[13825]: PLUGIN AUTH-PAM: BACKGROUND: my_conv[0] query='Login:' style=2
Mar 1 11:19:22 vpnserver1[13825]: PLUGIN AUTH-PAM: BACKGROUND: name match found, query/match-string ['Login:', 'login'] = 'USERNAME'
Mar 1 11:19:22 vpnserver1[13825]: PLUGIN AUTH-PAM: BACKGROUND: my_conv[0] query='Password:' style=1
Mar 1 11:19:22 vpnserver1[13825]: PLUGIN AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password:', 'password'] = 'PASSWORD'
Mar 1 11:19:22 vpnserver1[13825]: in openpam_dispatch(): /usr/lib/pam_unix.so: pam_sm_authenticate(): success
Mar 1 11:19:22 vpnserver1[13825]: in openpam_dispatch(): calling pam_sm_authenticate() in /jffs/addons/google_authenticator/lib/pam_google_authenticator.so
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: debug: start of google_authenticator for "adm"
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: debug: Secret file permissions are 0400. Allowed permissions are 0400
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: debug: "/jffs/.google_authenticator" read
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: debug: shared secret in "/jffs/.google_authenticator" processed
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: debug: google_authenticator for host "(null)"
Mar 1 11:19:22 vpnserver1[13825]: PLUGIN AUTH-PAM: BACKGROUND: my_conv[0] query='pin' style=1
Mar 1 11:19:22 vpnserver1[13825]: PLUGIN AUTH-PAM: BACKGROUND: name match found, query/match-string ['pin', 'pin'] = 'OTP'
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: debug: no scratch code used from "/jffs/.google_authenticator"
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: Accepted google_authenticator for adm
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: debug: "/jffs/.google_authenticator" written
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: debug: end of google_authenticator for "adm". Result: success
Mar 1 11:19:22 vpnserver1[13825]: in openpam_dispatch(): /jffs/addons/google_authenticator/lib/pam_google_authenticator.so: pam_sm_authenticate(): success
Mar 1 11:19:22 ovpn-server1[13821]: 192.168.2.254:64480 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mar 1 11:19:22 ovpn-server1[13821]: 192.168.2.254:64480 TLS Auth Error: Auth Username/Password verification failed for peer
Mar 1 11:19:22 vpnserver1[13825]: PLUGIN AUTH-PAM: BACKGROUND: parsed static challenge password
Mar 1 11:19:22 vpnserver1[13825]: in openpam_dispatch(): calling pam_sm_authenticate() in /usr/lib/pam_unix.so
Mar 1 11:19:22 vpnserver1[13825]: PLUGIN AUTH-PAM: BACKGROUND: my_conv[0] query='Login:' style=2
Mar 1 11:19:22 vpnserver1[13825]: PLUGIN AUTH-PAM: BACKGROUND: name match found, query/match-string ['Login:', 'login'] = 'USERNAME'
Mar 1 11:19:22 vpnserver1[13825]: PLUGIN AUTH-PAM: BACKGROUND: my_conv[0] query='Password:' style=1
Mar 1 11:19:22 vpnserver1[13825]: PLUGIN AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password:', 'password'] = 'PASSWORD'
Mar 1 11:19:22 vpnserver1[13825]: in openpam_dispatch(): /usr/lib/pam_unix.so: pam_sm_authenticate(): success
Mar 1 11:19:22 vpnserver1[13825]: in openpam_dispatch(): calling pam_sm_authenticate() in /jffs/addons/google_authenticator/lib/pam_google_authenticator.so
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: debug: start of google_authenticator for "adm"
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: debug: Secret file permissions are 0400. Allowed permissions are 0400
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: debug: "/jffs/.google_authenticator" read
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: debug: shared secret in "/jffs/.google_authenticator" processed
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: debug: google_authenticator for host "(null)"
Mar 1 11:19:22 vpnserver1[13825]: PLUGIN AUTH-PAM: BACKGROUND: my_conv[0] query='pin' style=1
Mar 1 11:19:22 vpnserver1[13825]: PLUGIN AUTH-PAM: BACKGROUND: name match found, query/match-string ['pin', 'pin'] = 'OTP'
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: debug: no scratch code used from "/jffs/.google_authenticator"
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: Accepted google_authenticator for adm
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: debug: "/jffs/.google_authenticator" written
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: debug: end of google_authenticator for "adm". Result: success
Mar 1 11:19:22 vpnserver1[13825]: in openpam_dispatch(): /jffs/addons/google_authenticator/lib/pam_google_authenticator.so: pam_sm_authenticate(): success
Mar 1 11:19:22 ovpn-server1[13821]: 192.168.2.254:64480 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mar 1 11:19:22 ovpn-server1[13821]: 192.168.2.254:64480 TLS Auth Error: Auth Username/Password verification failed for peer
As you can see, pam_unix and google_authenticator both succeed, and openvpn-plugin-auth-pam is OK (status=0), but the TLS auth fails.
And the configuration files:
pam.d openvpn file
account required pam_unix.so
auth required pam_unix.so debug
auth required /jffs/addons/google_authenticator/lib/pam_google_authenticator.so secret='/jffs/.google_authenticator' user=adm authtok_prompt=pin debug
Server Config
daemon ovpn-server1
topology subnet
server XXX.XXX.XXX.XXX 255.255.255.0
proto udp6
multihome
port XXXXX
dev tun21
txqueuelen 1000
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
data-ciphers-fallback AES-128-CBC
keepalive 15 60
verb 5
push "route XXX.XXX.XXX.XXX 255.255.255.0 vpn_gateway 500"
duplicate-cn
push "redirect-gateway def1"
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
script-security 2
up 'ovpn-up 1 server'
down 'ovpn-down 1 server'
status-version 2
status status 5
# Custom Configuration
plugin /usr/lib/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
setenv verb 9a
Client Config
client
dev tun
proto udp
remote XXX.XXX.XXX.XXX YYYY
resolv-retry infinite
static-challenge "Enter 2FA code:" 1
nobind
float
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
keepalive 15 60
auth-user-pass
remote-cert-tls server
I'm using OpenVPN 2.5.7.
Any advice?
Thanks for your help.
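Added example (not from the original post, and not code from OpenVPN or google-authenticator): a small Python model of what the server side sees in the two modes described above. With `static-challenge "..." 1` on the client, OpenVPN no longer sends the bare password: the password field carries `SCRV1:<base64(password)>:<base64(challenge response)>`, which is the string the auth-pam plugin splits when it logs "parsed static challenge password". The script builds and parses that field, then checks the two factors the way the posted PAM chain does (password, then a 6-digit TOTP against a base32 secret of the kind stored in `.google_authenticator`). The secret, password and timestamps are constructed test data; the TOTP values are the RFC 4226/6238 test vectors, so the results can be checked by hand. Function names (`encode_scrv1`, `parse_scrv1`, `hotp`, `verify_totp`, `check_login`) and the window of one 30-second step are this example's own choices.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed test data: RFC 4226 key "12345678901234567890" in the base32 form
# that google-authenticator keeps on the first line of its secret file.
RFC4226_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def encode_scrv1(password: str, response: str) -> str:
    """Password field an OpenVPN client sends when static-challenge is enabled."""
    return f"SCRV1:{_b64(password)}:{_b64(response)}"


def parse_scrv1(field: str):
    """Return (password, response). A field without the SCRV1 prefix is a plain
    password (the OTP-as-password mode from the post) and yields response=None."""
    if not field.startswith("SCRV1:"):
        return field, None
    parts = field.split(":")
    if len(parts) != 3:
        raise ValueError("malformed SCRV1 password field")
    try:
        password = base64.b64decode(parts[1], validate=True).decode()
        response = base64.b64decode(parts[2], validate=True).decode()
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("malformed SCRV1 password field") from exc
    return password, response


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, now=None, step: int = 30, window: int = 1) -> bool:
    """RFC 6238 TOTP check, accepting `window` steps of clock skew either side.
    The constant-time compare matters: the OTP is a secret, even a short-lived one."""
    secret = base64.b32decode(secret_b32.upper())
    now = int(time.time()) if now is None else now
    counter = now // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta).encode(), code.encode()):
            return True
    return False


def check_login(field: str, expected_password: str, secret_b32: str, now=None) -> str:
    """Mimic the posted PAM chain (pam_unix, then pam_google_authenticator) on the
    password field OpenVPN hands to the plugin. Returns a short result tag."""
    try:
        password, response = parse_scrv1(field)
    except ValueError:
        return "malformed"
    if response is None:
        # No static challenge in the field: the chain above cannot get both factors.
        return "no-challenge"
    if not hmac.compare_digest(password.encode(), expected_password.encode()):
        return "bad-password"
    if not verify_totp(secret_b32, response, now=now):
        return "bad-otp"
    return "ok"


if __name__ == "__main__":
    # t=59 is counter 1 in RFC 6238, whose 6-digit code is 287082.
    field = encode_scrv1("s3cret", "287082")
    print(field)
    print(check_login(field, "s3cret", RFC4226_SECRET_B32, now=59))   # ok
    print(check_login("s3cret", "s3cret", RFC4226_SECRET_B32, now=59))  # no-challenge
```

Running it prints the exact SCRV1 string a client would put in the password field, which is handy when comparing against `verb 5`/`verb 9` server output. Note that `parse_scrv1` refuses anything that does not split into exactly three colon-separated parts, so a password containing ":" still round-trips (it is base64 inside the field), but a truncated field is rejected rather than silently treated as a plain password.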